Thanks to giulia scrammed for notifying me that shadowing DebugCtl.BTF into DR7.GE doesn't work on newer Intel CPUs under Windows 7 (it works fine on older models like Core2Duo) - refer to http://x86asm.net/articles/backdoor-support-for-control-transfer-breakpoint-features/index.html

My project (http://fdbg.x86asm.net) uses the DebugCtl feature (menu Control -> Toggle DebugCtlMSR...), so I started researching, which took me about 1 hour, to find where a patch could be applied to add the support.

Big thanks also go to fyyre for publishing a method for patching the MS Windows x64 kernel and disabling PatchGuard (fyyre.net, http://fyyre.l2-fashion.de, disable_pg_ds.rar)



Why it is not working - one flag prevents saving/restoring the extended debug register state; here it is:


KiSaveDebugRegisterState
...	65f604254a4d000002	test	byte [gs:4D4Ah],2
...				jz	skip
...				saving extended debug register state
skip:


Where does bit 1 of the byte at gs:4D4Ah originate???


Using SimNow 4.6.2 (http://developer.amd.com/cpu/simnow/Pages/default.aspx) and the ISO image of ws2008R2x64SP1 (7601.17514.101119-1850_x64fre_server_eval_en-us-GRMSXEVAL_EN_DVD.iso),
with vp_bd_phase1.bsd and the ISO image mounted as the DVD to boot from,
I ran these commands (intercept the write to MSR_GS_BASE C0000101h, determine the value in the MSR, then intercept the write to the byte located 4D4Ah bytes past the value in the MSR):


br c0000101
g
r edx
edx=fffff800
r eax
eax=0d43dd00
d fffff8000d43dd00
bm FFFFF8000D442A4A,l w
g
u rip
0010:FFFFF8000D503AB1 898BC84B0000     mov [rbx+00004bc8h],ecx
r rbx
rbx=FFFFF8000D43DE80
r ecx
ecx=203B7DFE


0010:FFFFF8000D503AAA 8B8C24A0000000   mov ecx,[rsp+000000a0h]	; ecx = 203B7DFE, rsp = FFFFF8000DC07ED0
0010:FFFFF8000D503AB1 898BC84B0000     mov [rbx+00004bc8h],ecx	; rbx = FFFFF8000D43DE80
0010:FFFFF8000D503AB7 488B9C24B0000000 mov rbx,[rsp+000000b0h]
0010:FFFFF8000D503ABF 4883C460         add rsp,60h
0010:FFFFF8000D503AC3 415F             pop r15
0010:FFFFF8000D503AC5 415E             pop r14
0010:FFFFF8000D503AC7 415D             pop r13
0010:FFFFF8000D503AC9 415C             pop r12
0010:FFFFF8000D503ACB 5F               pop rdi
0010:FFFFF8000D503ACC 5E               pop rsi
0010:FFFFF8000D503ACD 5D               pop rbp
0010:FFFFF8000D503ACE C3               retnq


So bit 1 of gs:4D4Ah is bit 11h of ECX at 0010:FFFFF8000D503AB1 (gs:4D4Ah = FFFFF8000D442A4A is byte 2 of the dword stored at [rbx+4BC8h] = FFFFF8000D442A48, so bit 1 of that byte is bit 17 = 11h of the stored dword).





Now an IDA analysis of ntoskrnl.exe: a hexadecimal search for the bytes 898BC84B0000, then scrolling up to find the beginning of the whole procedure (which is named KiSetFeatureBits - symbols are required to obtain the name).


KiSetFeatureBits:

PAGELK:00000001402B8410 ; =============== S U B R O U T I N E =======================================
PAGELK:00000001402B8410
PAGELK:00000001402B8410
PAGELK:00000001402B8410 sub_1402B8410   proc near               ; CODE XREF: sub_1402C8050+2A7p
PAGELK:00000001402B8410
PAGELK:00000001402B8410 var_78          = qword ptr -78h
PAGELK:00000001402B8410 var_68          = dword ptr -68h
PAGELK:00000001402B8410 var_64          = byte ptr -64h
PAGELK:00000001402B8410 var_60          = dword ptr -60h
PAGELK:00000001402B8410 var_5C          = dword ptr -5Ch
PAGELK:00000001402B8410 var_58          = byte ptr -58h
PAGELK:00000001402B8410 var_54          = dword ptr -54h
PAGELK:00000001402B8410 var_50          = dword ptr -50h
PAGELK:00000001402B8410 BugCheckParameter1= qword ptr -4Ch
PAGELK:00000001402B8410 var_3C          = dword ptr -3Ch
PAGELK:00000001402B8410 arg_0           = dword ptr  8
PAGELK:00000001402B8410 arg_8           = dword ptr  10h
PAGELK:00000001402B8410 arg_10          = qword ptr  18h
PAGELK:00000001402B8410
PAGELK:00000001402B8410                 mov     [rsp+arg_10], rbx
PAGELK:00000001402B8415                 push    rbp
PAGELK:00000001402B8416                 push    rsi
PAGELK:00000001402B8417                 push    rdi
PAGELK:00000001402B8418                 push    r12
PAGELK:00000001402B841A                 push    r13
PAGELK:00000001402B841C                 push    r14
PAGELK:00000001402B841E                 push    r15
PAGELK:00000001402B8420                 sub     rsp, 60h
PAGELK:00000001402B8424                 mov     rbx, rcx
PAGELK:00000001402B8427                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B842C                 xor     edx, edx
PAGELK:00000001402B842E                 xor     ecx, ecx
PAGELK:00000001402B8430                 call    KiCpuId
PAGELK:00000001402B8435                 mov     eax, [rsp+98h+var_5C]
PAGELK:00000001402B8439                 mov     r12d, [rsp+98h+var_60]
PAGELK:00000001402B843E                 lea     rcx, [rsp+98h+var_64]
PAGELK:00000001402B8443                 mov     [rsp+98h+var_60], eax
PAGELK:00000001402B8447                 mov     [rsp+98h+var_5C], r12d
PAGELK:00000001402B844C                 mov     rax, [rcx]
PAGELK:00000001402B844F                 xor     r13d, r13d
PAGELK:00000001402B8452                 lea     rdx, aAuthenticamd ; "AuthenticAMD"
PAGELK:00000001402B8459                 mov     [rbx+4BB8h], rax
PAGELK:00000001402B8460                 mov     eax, [rcx+8]
PAGELK:00000001402B8463                 lea     edi, [r13+0Ch]
PAGELK:00000001402B8467                 lea     rcx, [rsp+98h+var_64] ; char *
PAGELK:00000001402B846C                 mov     r8, rdi         ; size_t
PAGELK:00000001402B846F                 mov     [rbx+4BC4h], r13b
PAGELK:00000001402B8476                 mov     [rbx+4BC0h], eax
PAGELK:00000001402B847C                 call    strncmp
PAGELK:00000001402B8481                 lea     r15d, [r13+1]
PAGELK:00000001402B8485                 cmp     eax, r13d
PAGELK:00000001402B8488                 jnz     short loc_1402B8493
PAGELK:00000001402B848A                 mov     [rbx+63Dh], r15b
PAGELK:00000001402B8491                 jmp     short loc_1402B84D9
PAGELK:00000001402B8493 ; ---------------------------------------------------------------------------
PAGELK:00000001402B8493
PAGELK:00000001402B8493 loc_1402B8493:                          ; CODE XREF: sub_1402B8410+78j
PAGELK:00000001402B8493                 lea     rdx, aGenuineintel ; "GenuineIntel"
PAGELK:00000001402B849A                 lea     rcx, [rsp+98h+var_64] ; char *
PAGELK:00000001402B849F                 mov     r8, rdi         ; size_t
PAGELK:00000001402B84A2                 call    strncmp
PAGELK:00000001402B84A7                 cmp     eax, r13d
PAGELK:00000001402B84AA                 jnz     short loc_1402B84B5
PAGELK:00000001402B84AC                 mov     byte ptr [rbx+63Dh], 2
PAGELK:00000001402B84B3                 jmp     short loc_1402B84D9
PAGELK:00000001402B84B5 ; ---------------------------------------------------------------------------
PAGELK:00000001402B84B5
PAGELK:00000001402B84B5 loc_1402B84B5:                          ; CODE XREF: sub_1402B8410+9Aj
PAGELK:00000001402B84B5                 lea     rdx, aCentaurhauls ; "CentaurHauls"
PAGELK:00000001402B84BC                 lea     rcx, [rsp+98h+var_64] ; char *
PAGELK:00000001402B84C1                 mov     r8, rdi         ; size_t
PAGELK:00000001402B84C4                 call    strncmp
PAGELK:00000001402B84C9                 cmp     eax, r13d
PAGELK:00000001402B84CC                 jnz     loc_1402B8AE8
PAGELK:00000001402B84D2                 mov     byte ptr [rbx+63Dh], 3
PAGELK:00000001402B84D9
PAGELK:00000001402B84D9 loc_1402B84D9:                          ; CODE XREF: sub_1402B8410+81j
PAGELK:00000001402B84D9                                         ; sub_1402B8410+A3j
PAGELK:00000001402B84D9                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B84DE                 xor     edx, edx
PAGELK:00000001402B84E0                 mov     ecx, r15d
PAGELK:00000001402B84E3                 call    KiCpuId
PAGELK:00000001402B84E8                 mov     ebp, [rsp+98h+var_68]
PAGELK:00000001402B84EC                 mov     r8d, 0Fh
PAGELK:00000001402B84F2                 mov     edi, ebp
PAGELK:00000001402B84F4                 mov     edx, 0F0h
PAGELK:00000001402B84F9                 shr     edi, 8
PAGELK:00000001402B84FC                 mov     esi, edi
PAGELK:00000001402B84FE                 and     esi, r8d
PAGELK:00000001402B8501                 cmp     esi, r8d
PAGELK:00000001402B8504                 jnz     short loc_1402B8522
PAGELK:00000001402B8506                 and     edi, 0F00h
PAGELK:00000001402B850C                 mov     eax, ebp
PAGELK:00000001402B850E                 shr     eax, 14h
PAGELK:00000001402B8511                 movzx   esi, al
PAGELK:00000001402B8514                 mov     eax, ebp
PAGELK:00000001402B8516                 and     eax, edx
PAGELK:00000001402B8518                 add     esi, r8d
PAGELK:00000001402B851B                 or      edi, eax
PAGELK:00000001402B851D                 shr     edi, 4
PAGELK:00000001402B8520                 jmp     short loc_1402B852A
PAGELK:00000001402B8522 ; ---------------------------------------------------------------------------
PAGELK:00000001402B8522
PAGELK:00000001402B8522 loc_1402B8522:                          ; CODE XREF: sub_1402B8410+F4j
PAGELK:00000001402B8522                 mov     edi, ebp
PAGELK:00000001402B8524                 shr     edi, 4
PAGELK:00000001402B8527                 and     edi, r8d
PAGELK:00000001402B852A
PAGELK:00000001402B852A loc_1402B852A:                          ; CODE XREF: sub_1402B8410+110j
PAGELK:00000001402B852A                 mov     cl, [rbx+63Dh]
PAGELK:00000001402B8530                 cmp     cl, 2
PAGELK:00000001402B8533                 jnz     short loc_1402B8543
PAGELK:00000001402B8535                 cmp     esi, 6
PAGELK:00000001402B8538                 jnz     short loc_1402B8543
PAGELK:00000001402B853A                 mov     eax, ebp
PAGELK:00000001402B853C                 shr     eax, 0Ch
PAGELK:00000001402B853F                 and     eax, edx
PAGELK:00000001402B8541                 or      edi, eax
PAGELK:00000001402B8543
PAGELK:00000001402B8543 loc_1402B8543:                          ; CODE XREF: sub_1402B8410+123j
PAGELK:00000001402B8543                                         ; sub_1402B8410+128j
PAGELK:00000001402B8543                 and     ebp, r8d
PAGELK:00000001402B8546                 movzx   eax, di
PAGELK:00000001402B8549                 mov     [rbx+5F1h], r15b
PAGELK:00000001402B8550                 shl     ax, 8
PAGELK:00000001402B8554                 mov     [rbx+5F0h], sil
PAGELK:00000001402B855B                 mov     r14b, r13b
PAGELK:00000001402B855E                 or      ax, bp
PAGELK:00000001402B8561                 mov     [rbx+5F2h], ax
PAGELK:00000001402B8568                 cmp     cl, 2
PAGELK:00000001402B856B                 jnz     loc_1402B861D
PAGELK:00000001402B8571                 cmp     esi, r8d
PAGELK:00000001402B8574                 jnb     short loc_1402B8584
PAGELK:00000001402B8576                 cmp     esi, 6
PAGELK:00000001402B8579                 jnz     loc_1402B8653
PAGELK:00000001402B857F                 cmp     edi, 0Dh
PAGELK:00000001402B8582                 jbe     short loc_1402B85A9
PAGELK:00000001402B8584
PAGELK:00000001402B8584 loc_1402B8584:                          ; CODE XREF: sub_1402B8410+164j
PAGELK:00000001402B8584                 mov     ecx, 1A0h
PAGELK:00000001402B8589                 rdmsr
PAGELK:00000001402B858B                 shl     rdx, 20h
PAGELK:00000001402B858F                 or      rax, rdx
PAGELK:00000001402B8592                 btr     rax, 16h
PAGELK:00000001402B8597                 mov     rdx, rax
PAGELK:00000001402B859A                 shr     rdx, 20h
PAGELK:00000001402B859E                 wrmsr
PAGELK:00000001402B85A0                 cmp     esi, 6
PAGELK:00000001402B85A3                 jnz     loc_1402B8653
PAGELK:00000001402B85A9
PAGELK:00000001402B85A9 loc_1402B85A9:                          ; CODE XREF: sub_1402B8410+172j
PAGELK:00000001402B85A9                 cmp     edi, r8d
PAGELK:00000001402B85AC                 jz      short loc_1402B85C1
PAGELK:00000001402B85AE                 cmp     edi, 16h
PAGELK:00000001402B85B1                 jz      short loc_1402B85C1
PAGELK:00000001402B85B3                 cmp     edi, 17h
PAGELK:00000001402B85B6                 jz      short loc_1402B85C1
PAGELK:00000001402B85B8                 cmp     edi, 1Ah
PAGELK:00000001402B85BB                 jnz     loc_1402B8653
PAGELK:00000001402B85C1
PAGELK:00000001402B85C1 loc_1402B85C1:                          ; CODE XREF: sub_1402B8410+19Cj
PAGELK:00000001402B85C1                                         ; sub_1402B8410+1A1j ...
PAGELK:00000001402B85C1                 mov     r14b, r15b
PAGELK:00000001402B85C4                 cmp     [rbx+24h], r13d
PAGELK:00000001402B85C8                 jnz     loc_1402B8653
PAGELK:00000001402B85CE                 mov     cs:dword_1402B16B4, 1C9h
PAGELK:00000001402B85D8                 mov     cs:dword_1402B147C, 1DDh
PAGELK:00000001402B85E2                 mov     cs:dword_1402B1478, 1DEh
PAGELK:00000001402B85EC                 cmp     edi, 1Ah
PAGELK:00000001402B85EF                 jz      short loc_1402B8607
PAGELK:00000001402B85F1                 mov     cs:dword_1402B12A8, 40h
PAGELK:00000001402B85FB                 mov     cs:dword_1402B1350, 60h
PAGELK:00000001402B8605                 jmp     short loc_1402B8653
PAGELK:00000001402B8607 ; ---------------------------------------------------------------------------
PAGELK:00000001402B8607
PAGELK:00000001402B8607 loc_1402B8607:                          ; CODE XREF: sub_1402B8410+1DFj
PAGELK:00000001402B8607                 mov     cs:dword_1402B12A8, 680h
PAGELK:00000001402B8611                 mov     cs:dword_1402B1350, 6C0h
PAGELK:00000001402B861B                 jmp     short loc_1402B8653
PAGELK:00000001402B861D ; ---------------------------------------------------------------------------
PAGELK:00000001402B861D
PAGELK:00000001402B861D loc_1402B861D:                          ; CODE XREF: sub_1402B8410+15Bj
PAGELK:00000001402B861D                 cmp     cl, r15b
PAGELK:00000001402B8620                 jnz     short loc_1402B8653
PAGELK:00000001402B8622                 mov     r14b, r15b
PAGELK:00000001402B8625                 cmp     [rbx+24h], r13d
PAGELK:00000001402B8629                 jnz     short loc_1402B8653
PAGELK:00000001402B862B                 mov     cs:dword_1402B12A8, 1DBh
PAGELK:00000001402B8635                 mov     cs:dword_1402B1350, 1DCh
PAGELK:00000001402B863F                 mov     cs:dword_1402B147C, 1DDh
PAGELK:00000001402B8649                 mov     cs:dword_1402B1478, 1DEh
PAGELK:00000001402B8653
PAGELK:00000001402B8653 loc_1402B8653:                          ; CODE XREF: sub_1402B8410+169j
PAGELK:00000001402B8653                                         ; sub_1402B8410+193j ...
PAGELK:00000001402B8653                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B8658                 xor     edx, edx
PAGELK:00000001402B865A                 xor     ecx, ecx
PAGELK:00000001402B865C                 call    KiCpuId
PAGELK:00000001402B8661                 cmp     byte ptr [rbx+63Dh], 2
PAGELK:00000001402B8668                 mov     r13d, [rsp+98h+var_68]
PAGELK:00000001402B866D                 jnz     short loc_1402B86AB
PAGELK:00000001402B866F                 xor     eax, eax
PAGELK:00000001402B8671                 mov     r15d, 8Bh
PAGELK:00000001402B8677                 mov     rdx, rax
PAGELK:00000001402B867A                 mov     ecx, r15d
PAGELK:00000001402B867D                 shr     rdx, 20h
PAGELK:00000001402B8681                 wrmsr
PAGELK:00000001402B8683                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B8688                 lea     ecx, [rax+1]
PAGELK:00000001402B868B                 xor     edx, edx
PAGELK:00000001402B868D                 call    KiCpuId
PAGELK:00000001402B8692                 mov     ecx, r15d
PAGELK:00000001402B8695                 rdmsr
PAGELK:00000001402B8697                 shl     rdx, 20h
PAGELK:00000001402B869B                 mov     r15d, 1
PAGELK:00000001402B86A1                 or      rax, rdx
PAGELK:00000001402B86A4                 mov     [rbx+4BD0h], rax
PAGELK:00000001402B86AB
PAGELK:00000001402B86AB loc_1402B86AB:                          ; CODE XREF: sub_1402B8410+25Dj
PAGELK:00000001402B86AB                 cmp     [rbx+63Dh], r15b
PAGELK:00000001402B86B2                 jnz     short loc_1402B86CA
PAGELK:00000001402B86B4                 cmp     esi, 0Fh
PAGELK:00000001402B86B7                 ja      short loc_1402B86CA
PAGELK:00000001402B86B9                 cmp     edi, 5
PAGELK:00000001402B86BC                 ja      short loc_1402B86CA
PAGELK:00000001402B86BE                 cmp     ebp, 8
PAGELK:00000001402B86C1                 ja      short loc_1402B86CA
PAGELK:00000001402B86C3                 or      cs:byte_1402B105F, r15b
PAGELK:00000001402B86CA
PAGELK:00000001402B86CA loc_1402B86CA:                          ; CODE XREF: sub_1402B8410+2A2j
PAGELK:00000001402B86CA                                         ; sub_1402B8410+2A7j ...
PAGELK:00000001402B86CA                 lea     r8, [rsp+98h+var_58]
PAGELK:00000001402B86CF                 xor     edx, edx
PAGELK:00000001402B86D1                 mov     ecx, r15d
PAGELK:00000001402B86D4                 call    KiCpuId
PAGELK:00000001402B86D9                 lea     r8, [rsp+98h+BugCheckParameter1+4]
PAGELK:00000001402B86DE                 xor     edx, edx
PAGELK:00000001402B86E0                 mov     ecx, 80000000h
PAGELK:00000001402B86E5                 call    KiCpuId
PAGELK:00000001402B86EA                 mov     ebp, dword ptr [rsp+98h+BugCheckParameter1+4]
PAGELK:00000001402B86EE                 lea     r8, [rsp+98h+BugCheckParameter1+4]
PAGELK:00000001402B86F3                 xor     edx, edx
PAGELK:00000001402B86F5                 mov     ecx, 80000001h
PAGELK:00000001402B86FA                 mov     [rsp+98h+arg_8], ebp
PAGELK:00000001402B8701                 call    KiCpuId
PAGELK:00000001402B8706                 mov     edx, dword ptr [rsp+98h+BugCheckParameter1+4]
PAGELK:00000001402B870A                 mov     rcx, rbx
PAGELK:00000001402B870D                 call    sub_1402B77A0
PAGELK:00000001402B8712                 mov     r9d, [rsp+98h+var_54]
PAGELK:00000001402B8717                 mov     r8d, dword ptr [rsp+98h+BugCheckParameter1]
PAGELK:00000001402B871C                 mov     ecx, 789F3FDh
PAGELK:00000001402B8721                 mov     eax, r9d
PAGELK:00000001402B8724                 shr     eax, 18h
PAGELK:00000001402B8727                 mov     [rbx+650h], eax
PAGELK:00000001402B872D                 mov     eax, r9d
PAGELK:00000001402B8730                 shr     eax, 5
PAGELK:00000001402B8733                 and     eax, 7F8h
PAGELK:00000001402B8738                 mov     [rbx+644h], eax
PAGELK:00000001402B873E                 mov     eax, r8d
PAGELK:00000001402B8741                 and     eax, ecx
PAGELK:00000001402B8743                 cmp     eax, ecx
PAGELK:00000001402B8745                 jnz     loc_1402B8ACF
PAGELK:00000001402B874B                 mov     eax, [rsp+98h+var_3C]
PAGELK:00000001402B874F                 bt      eax, 0Bh
PAGELK:00000001402B8753                 jnb     loc_1402B8ACF
PAGELK:00000001402B8759                 bt      r8d, 15h
PAGELK:00000001402B875E                 mov     edi, 13DFEh
PAGELK:00000001402B8763                 mov     ecx, 13FFEh
PAGELK:00000001402B8768                 cmovb   edi, ecx
PAGELK:00000001402B876B                 mov     [rsp+98h+arg_0], edi
PAGELK:00000001402B8772                 test    byte ptr [rsp+98h+var_50], r15b
PAGELK:00000001402B8777                 jz      short loc_1402B8784
PAGELK:00000001402B8779                 bts     edi, 13h
PAGELK:00000001402B877D                 mov     [rsp+98h+arg_0], edi
PAGELK:00000001402B8784
PAGELK:00000001402B8784 loc_1402B8784:                          ; CODE XREF: sub_1402B8410+367j
PAGELK:00000001402B8784                 bt      [rsp+98h+var_50], 0Dh
PAGELK:00000001402B878A                 jnb     short loc_1402B8797
PAGELK:00000001402B878C                 bts     edi, 14h
PAGELK:00000001402B8790                 mov     [rsp+98h+arg_0], edi
PAGELK:00000001402B8797
PAGELK:00000001402B8797 loc_1402B8797:                          ; CODE XREF: sub_1402B8410+37Aj
PAGELK:00000001402B8797                 bt      eax, 1Fh
PAGELK:00000001402B879B                 jnb     short loc_1402B87A8
PAGELK:00000001402B879D                 bts     edi, 0Eh
PAGELK:00000001402B87A1                 mov     [rsp+98h+arg_0], edi
PAGELK:00000001402B87A8
PAGELK:00000001402B87A8 loc_1402B87A8:                          ; CODE XREF: sub_1402B8410+38Bj
PAGELK:00000001402B87A8                 xor     esi, esi
PAGELK:00000001402B87AA                 cmp     [rbx+24h], esi
PAGELK:00000001402B87AD                 jz      short loc_1402B87B9
PAGELK:00000001402B87AF                 bt      cs:dword_1402B1044, 1Dh
PAGELK:00000001402B87B7                 jnb     short loc_1402B87CA
PAGELK:00000001402B87B9
PAGELK:00000001402B87B9 loc_1402B87B9:                          ; CODE XREF: sub_1402B8410+39Dj
PAGELK:00000001402B87B9                 bt      eax, 14h
PAGELK:00000001402B87BD                 jnb     short loc_1402B87CA
PAGELK:00000001402B87BF                 bts     edi, 1Dh
PAGELK:00000001402B87C3                 mov     [rsp+98h+arg_0], edi
PAGELK:00000001402B87CA
PAGELK:00000001402B87CA loc_1402B87CA:                          ; CODE XREF: sub_1402B8410+3A7j
PAGELK:00000001402B87CA                                         ; sub_1402B8410+3ADj
PAGELK:00000001402B87CA                 bt      eax, 19h
PAGELK:00000001402B87CE                 jnb     short loc_1402B87EC
PAGELK:00000001402B87D0                 mov     ecx, 0C0000080h
PAGELK:00000001402B87D5                 rdmsr
PAGELK:00000001402B87D7                 shl     rdx, 20h
PAGELK:00000001402B87DB                 or      rax, rdx
PAGELK:00000001402B87DE                 bts     rax, 0Eh
PAGELK:00000001402B87E3                 mov     rdx, rax
PAGELK:00000001402B87E6                 shr     rdx, 20h
PAGELK:00000001402B87EA                 wrmsr
PAGELK:00000001402B87EC
PAGELK:00000001402B87EC loc_1402B87EC:                          ; CODE XREF: sub_1402B8410+3BEj
PAGELK:00000001402B87EC                 mov     al, [rbx+63Dh]
PAGELK:00000001402B87F2                 mov     [rbx+63Eh], r15b
PAGELK:00000001402B87F9                 mov     [rbx+63Fh], r15b
PAGELK:00000001402B8800                 cmp     al, 2
PAGELK:00000001402B8802                 jnz     loc_1402B8918
PAGELK:00000001402B8808                 bts     edi, 18h
PAGELK:00000001402B880C                 mov     [rsp+98h+arg_0], edi
PAGELK:00000001402B8813                 cmp     r13d, 0Bh
PAGELK:00000001402B8817                 jb      loc_1402B88B1
PAGELK:00000001402B881D                 xor     edx, edx
PAGELK:00000001402B881F                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B8824                 lea     ecx, [rdx+0Bh]
PAGELK:00000001402B8827                 call    KiCpuId
PAGELK:00000001402B882C                 cmp     dword ptr [rsp+98h+var_64], esi
PAGELK:00000001402B8830                 jz      short loc_1402B88A7
PAGELK:00000001402B8832                 mov     eax, [rsp+98h+var_5C]
PAGELK:00000001402B8836                 xor     ebp, ebp
PAGELK:00000001402B8838                 mov     [rbx+650h], eax
PAGELK:00000001402B883E
PAGELK:00000001402B883E loc_1402B883E:                          ; CODE XREF: sub_1402B8410+479j
PAGELK:00000001402B883E                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B8843                 mov     edx, esi
PAGELK:00000001402B8845                 mov     ecx, 0Bh
PAGELK:00000001402B884A                 call    KiCpuId
PAGELK:00000001402B884F                 mov     eax, [rsp+98h+var_60]
PAGELK:00000001402B8853                 add     esi, r15d
PAGELK:00000001402B8856                 shr     eax, 8
PAGELK:00000001402B8859                 sub     eax, r15d
PAGELK:00000001402B885C                 jz      short loc_1402B8872
PAGELK:00000001402B885E                 cmp     eax, r15d
PAGELK:00000001402B8861                 jnz     short loc_1402B8884
PAGELK:00000001402B8863                 mov     ecx, [rsp+98h+var_68]
PAGELK:00000001402B8867                 mov     r12d, r15d
PAGELK:00000001402B886A                 and     ecx, 0Fh
PAGELK:00000001402B886D                 shl     r12d, cl
PAGELK:00000001402B8870                 jmp     short loc_1402B8884
PAGELK:00000001402B8872 ; ---------------------------------------------------------------------------
PAGELK:00000001402B8872
PAGELK:00000001402B8872 loc_1402B8872:                          ; CODE XREF: sub_1402B8410+44Cj
PAGELK:00000001402B8872                 mov     ecx, [rsp+98h+var_68]
PAGELK:00000001402B8876                 mov     edx, r15d
PAGELK:00000001402B8879                 and     ecx, 0Fh
PAGELK:00000001402B887C                 shl     dl, cl
PAGELK:00000001402B887E                 mov     [rbx+63Fh], dl
PAGELK:00000001402B8884
PAGELK:00000001402B8884 loc_1402B8884:                          ; CODE XREF: sub_1402B8410+451j
PAGELK:00000001402B8884                                         ; sub_1402B8410+460j
PAGELK:00000001402B8884                 cmp     word ptr [rsp+98h+var_64], bp
PAGELK:00000001402B8889                 jnz     short loc_1402B883E
PAGELK:00000001402B888B                 movzx   ecx, byte ptr [rbx+63Fh]
PAGELK:00000001402B8892                 mov     ebp, [rsp+98h+arg_8]
PAGELK:00000001402B8899                 xor     edx, edx
PAGELK:00000001402B889B                 mov     eax, r12d
PAGELK:00000001402B889E                 div     ecx
PAGELK:00000001402B88A0                 xor     esi, esi
PAGELK:00000001402B88A2                 jmp     loc_1402B8953
PAGELK:00000001402B88A7 ; ---------------------------------------------------------------------------
PAGELK:00000001402B88A7
PAGELK:00000001402B88A7 loc_1402B88A7:                          ; CODE XREF: sub_1402B8410+420j
PAGELK:00000001402B88A7                 mov     r8d, dword ptr [rsp+98h+BugCheckParameter1]
PAGELK:00000001402B88AC                 mov     r9d, [rsp+98h+var_54]
PAGELK:00000001402B88B1
PAGELK:00000001402B88B1 loc_1402B88B1:                          ; CODE XREF: sub_1402B8410+407j
PAGELK:00000001402B88B1                 mov     ecx, 4
PAGELK:00000001402B88B6                 cmp     r13d, ecx
PAGELK:00000001402B88B9                 jb      short loc_1402B88EA
PAGELK:00000001402B88BB                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B88C0                 xor     edx, edx
PAGELK:00000001402B88C2                 call    KiCpuId
PAGELK:00000001402B88C7                 mov     eax, [rsp+98h+var_68]
PAGELK:00000001402B88CB                 mov     r8d, dword ptr [rsp+98h+BugCheckParameter1]
PAGELK:00000001402B88D0                 mov     r9d, [rsp+98h+var_54]
PAGELK:00000001402B88D5                 shr     eax, 1Ah
PAGELK:00000001402B88D8                 lea     eax, [rax+rax+1]
PAGELK:00000001402B88DC                 bsr     ecx, eax
PAGELK:00000001402B88DF                 mov     eax, r15d
PAGELK:00000001402B88E2                 shl     al, cl
PAGELK:00000001402B88E4                 mov     [rbx+63Eh], al
PAGELK:00000001402B88EA
PAGELK:00000001402B88EA loc_1402B88EA:                          ; CODE XREF: sub_1402B8410+4A9j
PAGELK:00000001402B88EA                 bt      r8d, 1Ch
PAGELK:00000001402B88EF                 jnb     short loc_1402B8959
PAGELK:00000001402B88F1                 shr     r9d, 10h
PAGELK:00000001402B88F5                 xor     edx, edx
PAGELK:00000001402B88F7                 movzx   eax, r9b
PAGELK:00000001402B88FB                 lea     eax, [rax+rax-1]
PAGELK:00000001402B88FF                 bsr     ecx, eax
PAGELK:00000001402B8902                 mov     eax, r15d
PAGELK:00000001402B8905                 shl     eax, cl
PAGELK:00000001402B8907                 movzx   ecx, byte ptr [rbx+63Eh]
PAGELK:00000001402B890E                 div     ecx
PAGELK:00000001402B8910                 mov     [rbx+63Fh], al
PAGELK:00000001402B8916                 jmp     short loc_1402B8959
PAGELK:00000001402B8918 ; ---------------------------------------------------------------------------
PAGELK:00000001402B8918
PAGELK:00000001402B8918 loc_1402B8918:                          ; CODE XREF: sub_1402B8410+3F2j
PAGELK:00000001402B8918                 cmp     al, r15b
PAGELK:00000001402B891B                 jnz     short loc_1402B8959
PAGELK:00000001402B891D                 cmp     ebp, 80000008h
PAGELK:00000001402B8923                 jb      short loc_1402B8959
PAGELK:00000001402B8925                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B892A                 xor     edx, edx
PAGELK:00000001402B892C                 mov     ecx, 80000008h
PAGELK:00000001402B8931                 call    KiCpuId
PAGELK:00000001402B8936                 mov     ecx, [rsp+98h+var_60]
PAGELK:00000001402B893A                 shr     ecx, 0Ch
PAGELK:00000001402B893D                 and     ecx, 0Fh
PAGELK:00000001402B8940                 jnz     short loc_1402B894E
PAGELK:00000001402B8942                 movzx   eax, byte ptr [rsp+98h+var_60]
PAGELK:00000001402B8947                 lea     eax, [rax+rax+1]
PAGELK:00000001402B894B                 bsr     ecx, eax
PAGELK:00000001402B894E
PAGELK:00000001402B894E loc_1402B894E:                          ; CODE XREF: sub_1402B8410+530j
PAGELK:00000001402B894E                 mov     eax, r15d
PAGELK:00000001402B8951                 shl     al, cl
PAGELK:00000001402B8953
PAGELK:00000001402B8953 loc_1402B8953:                          ; CODE XREF: sub_1402B8410+492j
PAGELK:00000001402B8953                 mov     [rbx+63Eh], al
PAGELK:00000001402B8959
PAGELK:00000001402B8959 loc_1402B8959:                          ; CODE XREF: sub_1402B8410+4DFj
PAGELK:00000001402B8959                                         ; sub_1402B8410+506j ...
PAGELK:00000001402B8959                 cmp     [rbx+63Dh], r15b
PAGELK:00000001402B8960                 jnz     short loc_1402B896D
PAGELK:00000001402B8962                 bts     edi, 15h
PAGELK:00000001402B8966                 mov     [rsp+98h+arg_0], edi
PAGELK:00000001402B896D
PAGELK:00000001402B896D loc_1402B896D:                          ; CODE XREF: sub_1402B8410+550j
PAGELK:00000001402B896D                 movzx   r8d, byte ptr [rbx+63Fh]
PAGELK:00000001402B8975                 movzx   ecx, byte ptr [rbx+63Eh]
PAGELK:00000001402B897C                 mov     edx, cs:dword_1402B106C
PAGELK:00000001402B8982                 imul    ecx, r8d
PAGELK:00000001402B8986                 movzx   eax, dl
PAGELK:00000001402B8989                 cmp     ecx, eax
PAGELK:00000001402B898B                 jle     short loc_1402B89AA
PAGELK:00000001402B898D                 cmp     r8d, edx
PAGELK:00000001402B8990                 jbe     short loc_1402B8998
PAGELK:00000001402B8992                 mov     [rbx+63Fh], dl
PAGELK:00000001402B8998
PAGELK:00000001402B8998 loc_1402B8998:                          ; CODE XREF: sub_1402B8410+580j
PAGELK:00000001402B8998                 movzx   r8d, byte ptr [rbx+63Fh]
PAGELK:00000001402B89A0                 cdq
PAGELK:00000001402B89A1                 idiv    r8d
PAGELK:00000001402B89A4                 mov     [rbx+63Eh], al
PAGELK:00000001402B89AA
PAGELK:00000001402B89AA loc_1402B89AA:                          ; CODE XREF: sub_1402B8410+57Bj
PAGELK:00000001402B89AA                 mov     [rbx+654h], r8d
PAGELK:00000001402B89B1                 cmp     [rbx+24h], esi
PAGELK:00000001402B89B4                 jnz     short loc_1402B89BC
PAGELK:00000001402B89B6                 lea     eax, [r8-1]
PAGELK:00000001402B89BA                 jmp     short loc_1402B89D0
PAGELK:00000001402B89BC ; ---------------------------------------------------------------------------
PAGELK:00000001402B89BC
PAGELK:00000001402B89BC loc_1402B89BC:                          ; CODE XREF: sub_1402B8410+5A4j
PAGELK:00000001402B89BC                 call    HalIsHyperThreadingEnabled
PAGELK:00000001402B89C1                 cmp     al, sil
PAGELK:00000001402B89C4                 jz      short loc_1402B89DA
PAGELK:00000001402B89C6                 movzx   eax, byte ptr [rbx+63Fh]
PAGELK:00000001402B89CD                 sub     eax, r15d
PAGELK:00000001402B89D0
PAGELK:00000001402B89D0 loc_1402B89D0:                          ; CODE XREF: sub_1402B8410+5AAj
PAGELK:00000001402B89D0                 not     eax
PAGELK:00000001402B89D2                 mov     [rbx+640h], eax
PAGELK:00000001402B89D8                 jmp     short loc_1402B89F6
PAGELK:00000001402B89DA ; ---------------------------------------------------------------------------
PAGELK:00000001402B89DA
PAGELK:00000001402B89DA loc_1402B89DA:                          ; CODE XREF: sub_1402B8410+5B4j
PAGELK:00000001402B89DA                 movzx   edx, byte ptr [rbx+63Fh]
PAGELK:00000001402B89E1                 movzx   eax, byte ptr [rbx+63Eh]
PAGELK:00000001402B89E8                 imul    edx, eax
PAGELK:00000001402B89EB                 sub     edx, r15d
PAGELK:00000001402B89EE                 not     edx
PAGELK:00000001402B89F0                 mov     [rbx+640h], edx
PAGELK:00000001402B89F6
PAGELK:00000001402B89F6 loc_1402B89F6:                          ; CODE XREF: sub_1402B8410+5C8j
PAGELK:00000001402B89F6                 mov     al, [rbx+63Dh]
PAGELK:00000001402B89FC                 mov     r12b, 2
PAGELK:00000001402B89FF                 cmp     al, r12b
PAGELK:00000001402B8A02                 jnz     short loc_1402B8A0C
PAGELK:00000001402B8A04                 cmp     ebp, 80000008h
PAGELK:00000001402B8A0A                 jnb     short loc_1402B8A19
PAGELK:00000001402B8A0C
PAGELK:00000001402B8A0C loc_1402B8A0C:                          ; CODE XREF: sub_1402B8410+5F2j
PAGELK:00000001402B8A0C                 cmp     al, r15b
PAGELK:00000001402B8A0F                 jnz     short loc_1402B8A3A
PAGELK:00000001402B8A11                 cmp     ebp, 80000008h
PAGELK:00000001402B8A17                 jb      short loc_1402B8A36
PAGELK:00000001402B8A19
PAGELK:00000001402B8A19 loc_1402B8A19:                          ; CODE XREF: sub_1402B8410+5FAj
PAGELK:00000001402B8A19                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B8A1E                 xor     edx, edx
PAGELK:00000001402B8A20                 mov     ecx, 80000008h
PAGELK:00000001402B8A25                 call    KiCpuId
PAGELK:00000001402B8A2A                 mov     cl, byte ptr [rsp+98h+var_68]
PAGELK:00000001402B8A2E
PAGELK:00000001402B8A2E loc_1402B8A2E:                          ; CODE XREF: sub_1402B8410+628j
PAGELK:00000001402B8A2E                 mov     cs:byte_1401ECFEE, cl
PAGELK:00000001402B8A34                 jmp     short loc_1402B8A40
PAGELK:00000001402B8A36 ; ---------------------------------------------------------------------------
PAGELK:00000001402B8A36
PAGELK:00000001402B8A36 loc_1402B8A36:                          ; CODE XREF: sub_1402B8410+607j
PAGELK:00000001402B8A36                 mov     cl, 28h
PAGELK:00000001402B8A38                 jmp     short loc_1402B8A2E
PAGELK:00000001402B8A3A ; ---------------------------------------------------------------------------
PAGELK:00000001402B8A3A
PAGELK:00000001402B8A3A loc_1402B8A3A:                          ; CODE XREF: sub_1402B8410+5FFj
PAGELK:00000001402B8A3A                 mov     cl, cs:byte_1401ECFEE
PAGELK:00000001402B8A40
PAGELK:00000001402B8A40 loc_1402B8A40:                          ; CODE XREF: sub_1402B8410+624j
PAGELK:00000001402B8A40                 mov     rax, r15
PAGELK:00000001402B8A43                 shl     rax, cl
PAGELK:00000001402B8A46                 sub     rax, r15
PAGELK:00000001402B8A49                 and     rax, 0FFFFFFFFFFFFF000h
PAGELK:00000001402B8A4F                 mov     cs:qword_1401F0F08, rax
PAGELK:00000001402B8A56                 mov     cs:qword_1401F0F10, rax
PAGELK:00000001402B8A5D                 cmp     [rbx+63Dh], r12b
PAGELK:00000001402B8A64                 jnz     short loc_1402B8A8D
PAGELK:00000001402B8A66                 cmp     r13d, 6
PAGELK:00000001402B8A6A                 jb      short loc_1402B8A8D
PAGELK:00000001402B8A6C                 xor     edx, edx
PAGELK:00000001402B8A6E                 lea     r8, [rsp+98h+var_68]
PAGELK:00000001402B8A73                 lea     ecx, [rdx+6]
PAGELK:00000001402B8A76                 call    KiCpuId
PAGELK:00000001402B8A7B                 test    byte ptr [rsp+98h+var_60], r12b
PAGELK:00000001402B8A80                 jz      short loc_1402B8A8D
PAGELK:00000001402B8A82                 bts     edi, 16h
PAGELK:00000001402B8A86                 mov     [rsp+98h+arg_0], edi
PAGELK:00000001402B8A8D
PAGELK:00000001402B8A8D loc_1402B8A8D:                          ; CODE XREF: sub_1402B8410+654j
PAGELK:00000001402B8A8D                                         ; sub_1402B8410+65Aj ...
PAGELK:00000001402B8A8D                 cmp     r14b, sil
PAGELK:00000001402B8A90                 jz      short loc_1402B8A9D
PAGELK:00000001402B8A92                 bts     edi, 11h		; set bit indicating DebugCtl feature
PAGELK:00000001402B8A96                 mov     [rsp+98h+arg_0], edi
PAGELK:00000001402B8A9D
PAGELK:00000001402B8A9D loc_1402B8A9D:                          ; CODE XREF: sub_1402B8410+680j
PAGELK:00000001402B8A9D                 lea     rcx, [rsp+98h+arg_0]
PAGELK:00000001402B8AA5                 call    sub_140109A00
PAGELK:00000001402B8AAA                 mov     ecx, [rsp+98h+arg_0]
PAGELK:00000001402B8AB1                 mov     [rbx+4BC8h], ecx	; rbx = prcb = MSR_C0000101+180h
PAGELK:00000001402B8AB7                 mov     rbx, [rsp+98h+arg_10]
PAGELK:00000001402B8ABF                 add     rsp, 60h
PAGELK:00000001402B8AC3                 pop     r15
PAGELK:00000001402B8AC5                 pop     r14
PAGELK:00000001402B8AC7                 pop     r13
PAGELK:00000001402B8AC9                 pop     r12
PAGELK:00000001402B8ACB                 pop     rdi
PAGELK:00000001402B8ACC                 pop     rsi
PAGELK:00000001402B8ACD                 pop     rbp
PAGELK:00000001402B8ACE                 retn



A few lines above we see bts edi, 11h \ mov [rsp+98h],edi \ ... \ mov ecx,[rsp+98h] \ mov [rbx+4BC8h],ecx

Bit 11h of edi is set only if r14b <> sil.
sil = 0 because of xor esi,esi,
so r14b must be non-zero.
r14b is written by mov r14b,r15b.
r15 = 1 by lea r15d,[r13+1] because r13 = 0 (xor r13d,r13d).

mov r14b,r15b is reached only when:

PAGELK:00000001402B8576                 cmp     esi, 6
PAGELK:00000001402B8579                 jnz     loc_1402B8653

CPU family = 06h

PAGELK:00000001402B85A9 loc_1402B85A9:                          ; CODE XREF: sub_1402B8410+172j
PAGELK:00000001402B85A9                 cmp     edi, r8d
PAGELK:00000001402B85AC                 jz      short loc_1402B85C1
PAGELK:00000001402B85AE                 cmp     edi, 16h
PAGELK:00000001402B85B1                 jz      short loc_1402B85C1
PAGELK:00000001402B85B3                 cmp     edi, 17h
PAGELK:00000001402B85B6                 jz      short loc_1402B85C1
PAGELK:00000001402B85B8                 cmp     edi, 1Ah
PAGELK:00000001402B85BB                 jnz     loc_1402B8653
PAGELK:00000001402B85C1

r8d=0Fh

CPU model = 0Fh, 16h, 17h or 1Ah



Family 06h model 16h is not documented in Intel's manuals (perhaps a CPU sample Intel sent to Microsoft?), so I reuse this unpublished model slot to add the missing support for the CPU at hand.




The solution is to patch two bytes:


;-------

original
        cmp	edi, 16h
	jz	...
new
	cmp	edi,cpu_model

where the value of cpu_model is obtained from CPUID leaf 1 (EAX = 1):
; Derive the display model of the running CPU from CPUID leaf 1.
; CPUID(EAX=1).EAX holds: bits 7-4 = model, bits 19-16 = extended model;
; for family 06h the display model is (extended_model << 4) | model.
; NOTE: CPUID overwrites EAX, EBX, ECX and EDX - keep nothing live there.
	mov	eax,1				; leaf 1: version information
	cpuid
	shr	eax,4				; bits 19-16 -> bits 15-12 (ext. model), bits 7-4 -> bits 3-0 (model)
	and	eax,1111000000001111b		; keep only the two model nibbles (mask 0F00Fh)
	or	al,ah				; al = (ext_model << 4) | model
; al = cpu_model
; CAVEAT: the value is baked into the kernel image, so the patched binary is
; tied to the CPU it was computed on. The target "cmp edi, 16h" is the 3-byte
; form with a sign-extended imm8 (1402B85AE -> 1402B85B1 above), so a display
; model of 80h or above cannot be patched in this way - it would compare
; against a sign-extended value and never match.

;-------

original
	cmp     edi, 1Ah
	jz	short loc_1402B8607
	mov	cs:dword_1402B12A8, 40h		; Core2Duo
	mov	cs:dword_1402B1350, 60h
	jmp	short loc_1402B8653
loc_1402B8607:
	mov	cs:dword_1402B12A8, 680h	; Core i3/i5/i7, Xeons based on Core i architecture
	mov	cs:dword_1402B1350, 6C0h
	jmp	short loc_1402B8653

new
	cmp     edi, 1Ah
	jnc	short loc_1402B8607		; jnc == jae (unsigned edi >= 1Ah): model 1Ah and every later
						; model take the 680h/6C0h path, i.e. the LBR base MSRs
						; (MSR_LASTBRANCH_0_FROM_IP / _TO_IP) used from Nehalem on;
						; this assumes no later model reverts to the 40h/60h pair
